In the protocol_cleanup branch the TLS authentication (via SRP) happens
first, before any messages are sent at all, which should stop that
vulnerability.
We can change who sends the first message. As far as I can tell it
won't make much of a difference [1] anymore, so whatever you like works
for me.
Steven
[1]: The only difference that I can see, and it's a minor one for our
use case, is that we can reduce the number of round trips by deciding
who speaks first after the TLS handshake has finished.
As far as I can tell, the handshake "Finished" message is sent by the
client to the server, and then the server sends a "Finished" message
back to the client. By having the server then send the first message
with application data, we'll reduce our number of round trips by one.
I'd have to test this to make sure, and since the connections are
persistent it's not going to matter.